
feat: add reflex cloud scan security review command #6632

Merged: adhami3310 merged 1 commit into main from khaleel/eng-9640-add-cli-command-for-security-scan on Jun 9, 2026

Conversation

@adhami3310

Member

What

Adds reflex cloud scan, a Reflex-aware security review command under the reflex cloud CLI group (ENG-9640). It scans an app's source for Reflex-specific security and logic flaws (e.g. exposed setters on trust-sensitive vars, secrets leaked as frontend vars, blocking calls in async event handlers).

How it works

  1. Zips the app source from the target directory (default .), pruning build/dependency dirs (.web, node_modules, .venv, …) during the walk and skipping over-cap files.
  2. Requests a presigned upload URL, PUTs the archive straight to object storage, then submits the stored object by key.
  3. Polls the job to completion and renders findings, sorted by severity, with color-coded badges and concrete fix recommendations.

Backed by POST/GET /api/v1/agents/security-review/jobs (Enterprise-tier gated).

Flags

  • [DIRECTORY] — app root to scan (default current dir)
  • --token — auth token (else uses stored login)
  • --json — raw result payload
  • --fail-on {critical|high|medium|low|none} — exit non-zero at/above this severity (default low); none to always exit 0
  • --loglevel, --interactive/--no-interactive

Testing

  • Unit tests for the CLI command (zip exclusion, polling, --json, --fail-on gating, markup-escaping, error paths) and the hosting-layer client (three-step upload flow, upload/submit failures, server-detail passthrough).
  • Manually verified end-to-end against a local Cloud backend: auth → presigned upload → submit → poll → colorized findings.
  • ruff, ruff format, pyright, and the full tests/units/reflex_cli suite (219) pass.

Notes

  • The endpoint is gated behind the Enterprise tier; a non-Enterprise account gets the server's 403 detail surfaced verbatim.
  • .env* files are currently included in the upload (so the reviewer can flag committed secrets) — open to excluding them if preferred.

Adds a Reflex-aware security review CLI command. Zips the app source
(pruning build/dependency dirs), uploads it via a presigned URL, submits
it for review, polls to completion, and renders findings by severity.

Supports --json output and a --fail-on severity gate for CI.

ENG-9640
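The archive-and-gate steps described in the PR body, as an added illustration that is not the PR's own code: a pruning zip builder with per-file and total size caps, plus the severity gate behind --fail-on. The PR names .web, node_modules and .venv as pruned directories; the other pruned names, the cap values, the refusal to follow symlinks, and the fail-closed treatment of unknown severities are this example's assumptions.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Directories pruned during the walk. The PR names .web, node_modules and .venv;
# .git and __pycache__ are added here as assumptions.
PRUNED_DIRS = {".web", "node_modules", ".venv", ".git", "__pycache__"}
MAX_FILE_BYTES = 1_000_000      # assumed per-file cap
MAX_ARCHIVE_BYTES = 20_000_000  # assumed total cap

# Severity order used by the --fail-on gate ("none" disables the gate).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def build_scan_archive(root, max_file_bytes=MAX_FILE_BYTES,
                       max_archive_bytes=MAX_ARCHIVE_BYTES):
    """Zip `root` into memory, pruning build/dependency dirs during the walk
    and skipping over-cap files. Returns (zip_bytes, skipped_relative_paths)."""
    root = Path(root).resolve()
    buf = io.BytesIO()
    skipped = []
    total = 0
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune in place so os.walk never descends into excluded trees.
            dirnames[:] = sorted(d for d in dirnames if d not in PRUNED_DIRS)
            for name in sorted(filenames):
                path = Path(dirpath) / name
                rel = path.relative_to(root).as_posix()
                if path.is_symlink():
                    skipped.append(rel)  # assumption: never follow links out of the app root
                    continue
                size = path.stat().st_size
                if size > max_file_bytes:
                    skipped.append(rel)  # over the per-file cap
                    continue
                if total + size > max_archive_bytes:
                    raise ValueError(f"archive cap exceeded at {rel}")
                zf.write(path, rel)
                total += size
    return buf.getvalue(), skipped


def should_fail(findings, fail_on="low"):
    """Return True when any finding is at or above the --fail-on threshold.
    Unknown severities fail closed (assumption) so a new label can't slip past CI."""
    if fail_on == "none":
        return False
    threshold = SEVERITY_RANK[fail_on]
    for finding in findings:
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None or rank >= threshold:
            return True
    return False


def run_demo():
    """Build a constructed sample app in a temp dir and archive it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "app.py").write_text("import reflex as rx\n")
        (root / ".env").write_text("API_KEY=placeholder\n")  # included, per the PR notes
        (root / ".web").mkdir()
        (root / ".web" / "bundle.js").write_text("// built output\n")
        (root / "node_modules" / "pkg").mkdir(parents=True)
        (root / "node_modules" / "pkg" / "index.js").write_text("x\n")
        (root / "big.bin").write_bytes(b"\0" * 2048)  # over the 1 KiB cap used below
        data, skipped = build_scan_archive(root, max_file_bytes=1024)
        names = sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())
    return names, skipped


if __name__ == "__main__":
    print(run_demo())
    print(should_fail([{"severity": "medium"}], fail_on="high"))
```

Pruning `dirnames` in place is what keeps the walk from ever entering `.web` or `node_modules`; filtering after the fact would still stat every file in them.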
@linear-code

linear-code Bot commented Jun 9, 2026


ENG-9640

@codspeed-hq

codspeed-hq Bot commented Jun 9, 2026


Merging this PR will not alter performance

✅ 26 untouched benchmarks
⏩ 8 skipped benchmarks [1]

Comparing khaleel/eng-9640-add-cli-command-for-security-scan (c6a6752) with main (6f5c80b) [2]


Footnotes

  1. 8 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

  2. No successful run was found on main (e4a9365) during the generation of this report, so 6f5c80b was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@adhami3310 adhami3310 marked this pull request as ready for review June 9, 2026 20:14
@adhami3310 adhami3310 requested a review from a team as a code owner June 9, 2026 20:14
@greptile-apps

greptile-apps Bot commented Jun 9, 2026

Contributor

Greptile Summary

This PR introduces reflex cloud scan, a new CLI command under reflex cloud that zips an app's source directory, uploads it to object storage via a presigned URL, submits it to a backend security-review job, polls for completion, and renders color-coded findings by severity. Two hosting-layer functions (submit_security_review, get_security_review) back the command, and comprehensive unit tests cover the full flow.

  • scan.py: Implements the full command lifecycle — zip, upload, poll, render, and severity-gated exit. Directory pruning and per-file/archive size caps keep uploads lean.
  • hosting.py: Adds the three-step presigned-upload flow; the unguarded dict["key"] accesses on server responses can surface raw KeyErrors instead of the user-friendly SecurityReviewError if the server returns an unexpected shape.
  • Tests: Cover zip exclusion, polling, --json, --fail-on gating, markup escaping, and all error paths — thorough and well-structured.

Confidence Score: 3/5

The command flow is sound but the hosting-layer functions can leak raw KeyError tracebacks to the user if the server returns a well-formed HTTP 200 with an unexpected JSON body, bypassing the clean error-handling path in scan_command.

When upload[url], upload[key], or response.json()[job_id] fail to match the expected shape, the resulting KeyError is not caught by the except hosting.SecurityReviewError handler in scan_command. A user hitting a server-side schema change or edge-case response would see a raw Python traceback instead of the intended friendly error message. The polling logic, zip pruning, severity gating, and test coverage are all solid.

packages/reflex-hosting-cli/src/reflex_cli/utils/hosting.py — the three dict-key accesses on server responses in submit_security_review need try/except KeyError guards to keep all error paths flowing through SecurityReviewError.

Important Files Changed

Filename Overview
packages/reflex-hosting-cli/src/reflex_cli/utils/hosting.py Adds submit_security_review and get_security_review hosting-layer functions; unguarded dict key access on server JSON can surface raw KeyErrors instead of the user-friendly SecurityReviewError, and a hardcoded 120-second timeout should be a named constant
packages/reflex-hosting-cli/src/reflex_cli/v2/scan.py New reflex cloud scan CLI command — zips app source, uploads via presigned URL, polls for results, renders findings; minor logic inconsistency around unknown-severity handling in the exit gate
tests/units/reflex_cli/v2/test_scan.py Comprehensive unit tests covering the full scan command lifecycle, zip exclusion, JSON output, polling, fail-on gating, markup escaping, and error paths — well-structured and thorough
tests/units/reflex_cli/utils/test_hosting.py Adds hosting-layer tests for the three-step upload flow, upload/submit failures, and server-detail passthrough — good coverage of the new client functions
packages/reflex-hosting-cli/src/reflex_cli/v2/deployments.py Registers the new scan sub-command under the hosting_cli Click group — minimal, correct change
packages/reflex-hosting-cli/news/6632.feature.md Changelog entry for the new reflex cloud scan command

Reviews (1): Last reviewed commit: "feat: add `reflex cloud scan` security r..."

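A hardened version of the response handling Greptile flags above, written as an added example rather than the PR's hosting.py: every key lookup on server JSON goes through one guard that raises SecurityReviewError, the poll timeout is a named constant, and the poll loop takes injectable fetch/clock/sleep so the timeout path can be exercised offline. SecurityReviewError and the 120-second figure come from the PR; the field names (url, key, job_id, status, findings, detail), the status values and the poll interval are assumptions.

```python
import time

POLL_TIMEOUT_SECONDS = 120   # the PR's hard-coded figure, now a named constant
POLL_INTERVAL_SECONDS = 2.0  # assumed


class SecurityReviewError(Exception):
    """The one error type scan_command catches and renders as a friendly message."""


def _require(payload, key, context):
    """Fetch `key` from a server JSON object, turning any shape mismatch into
    SecurityReviewError instead of a raw KeyError or TypeError."""
    if not isinstance(payload, dict) or key not in payload:
        raise SecurityReviewError(f"{context}: server response is missing '{key}'")
    return payload[key]


def parse_presign(payload):
    """Step 1 of the upload flow: presigned URL plus object key (field names assumed)."""
    url = _require(payload, "url", "presign")
    key = _require(payload, "key", "presign")
    if not isinstance(url, str) or not url.startswith("https://"):
        raise SecurityReviewError("presign: upload URL is not an https URL")
    if not isinstance(key, str) or not key:
        raise SecurityReviewError("presign: object key is empty")
    return url, key


def parse_submit(payload):
    """Step 3: the job id returned after submitting the stored object by key."""
    job_id = _require(payload, "job_id", "submit")
    if not isinstance(job_id, str) or not job_id:
        raise SecurityReviewError("submit: job_id is not a non-empty string")
    return job_id


def server_detail(status_code, payload, fallback):
    """Pass the server's 'detail' text through verbatim (e.g. the 403 a
    non-Enterprise account receives), falling back to a generic message."""
    detail = payload.get("detail") if isinstance(payload, dict) else None
    return f"HTTP {status_code}: {detail or fallback}"


def poll_job(fetch, job_id, timeout=POLL_TIMEOUT_SECONDS,
             interval=POLL_INTERVAL_SECONDS, sleep=time.sleep, clock=time.monotonic):
    """Poll `fetch(job_id)` until the job completes, fails, or the deadline passes.
    Status values 'completed'/'failed' are assumed."""
    deadline = clock() + timeout
    while True:
        payload = fetch(job_id)
        status = _require(payload, "status", "poll")
        if status == "completed":
            return _require(payload, "findings", "poll")
        if status == "failed":
            raise SecurityReviewError(
                f"review job {job_id} failed: {payload.get('error') or 'no detail'}")
        if clock() >= deadline:
            raise SecurityReviewError(f"timed out after {timeout}s waiting for job {job_id}")
        sleep(interval)


def raises_review_error(fn, *args, **kwargs):
    """True if `fn` raises SecurityReviewError (and nothing else) for these inputs."""
    try:
        fn(*args, **kwargs)
    except SecurityReviewError:
        return True
    return False


def run_demo():
    """Exercise the guards against constructed server responses, fully offline."""
    responses = iter([
        {"status": "queued"},
        {"status": "running"},
        {"status": "completed", "findings": [{"severity": "high", "title": "constructed"}]},
    ])
    polls = []
    tick = [0.0]  # fake monotonic clock, advanced only by the fake sleep

    def fetch(job_id):
        polls.append(job_id)
        return next(responses)

    def sleep(seconds):
        tick[0] += seconds

    def clock():
        return tick[0]

    findings = poll_job(fetch, "job-constructed-1", timeout=60, sleep=sleep, clock=clock)
    return {
        "findings": len(findings),
        "polls": len(polls),
        "bad_presign": raises_review_error(parse_presign, {"upload_url": "https://x"}),
        "bad_submit": raises_review_error(parse_submit, ["not", "a", "dict"]),
        "timed_out": raises_review_error(
            poll_job, lambda _: {"status": "queued"}, "job-constructed-2",
            timeout=1, interval=5, sleep=sleep, clock=clock),
        "detail": server_detail(403, {"detail": "Enterprise tier required"}, "forbidden"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Routing every lookup through `_require` means a well-formed HTTP 200 with a renamed field still reaches the user as the friendly message, not a traceback, and the injected clock lets the timeout branch be tested without waiting 120 seconds.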
@adhami3310 adhami3310 merged commit d486e9b into main Jun 9, 2026
106 checks passed
@adhami3310 adhami3310 deleted the khaleel/eng-9640-add-cli-command-for-security-scan branch June 9, 2026 23:32